Anomaly vs Vulnerability Detection Using Cisco IPS

The Cisco IPS network-based intrusion prevention system (NIPS) uses signatures to detect network-based attacks. Signatures can be created in a variety of engines, chosen according to the type of network traffic being inspected, and Cisco signatures have very flexible configurations. In this blog post, I will discuss the trade-offs between two basic approaches to signature configuration: anomaly detection and vulnerability detection.

With Cisco IPS, anomaly detection is a broad approach to detecting malicious network activity. A signature written to detect a broad category of anomalous activity will catch many different attack vectors, but at a cost. The parameters of such a signature often strain the memory or CPU of the system running Cisco IPS, which limits the number of signatures that can be enabled at once. Anomaly signatures also carry a high false-positive risk precisely because of their breadth: legitimate traffic that happens to look unusual matches them too.

Vulnerability-based signatures are targeted and require less overhead. These signatures normally cover one or more attack vectors associated with a specific CVE. Their engine parameters typically use less memory and have less impact on the CPU of the IPS device, permitting more signatures to be active at the same time. They also let the user tune the configuration finely to the types of vulnerable systems present in the network. False-positive risk is low if the active signature set is tuned for the user's network environment.
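To make the trade-off concrete, here is a small Python model of the two signature styles run over constructed HTTP request lines. This is an added example, not code from the original post and not how Cisco IPS engines are implemented internally. The vulnerable target (`/cgi-bin/report.cgi` overflowing when its `id` parameter exceeds 64 bytes), the signature IDs and the sample requests are all hypothetical; the 260-byte limit is the Windows MAX_PATH value. The example goes slightly beyond the text by also showing why a vulnerability signature's evasion resistance depends on protocol normalization before matching.

```python
"""Anomaly-style vs vulnerability-style signatures over sample HTTP request lines.

Constructed example: the vulnerable CGI, the signature IDs and the traffic
samples are hypothetical and exist only to illustrate the trade-offs.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote_to_bytes

MAX_PATH = 260  # Windows MAX_PATH; treat a longer request target as anomalous


@dataclass(frozen=True)
class Signature:
    sid: int
    kind: str                       # "anomaly" or "vulnerability"
    name: str
    match: Callable[[bytes], bool]  # fires on a raw HTTP request line


def request_target(line: bytes) -> bytes:
    """Return the request-target (path plus query) from a request line."""
    parts = line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def normalize(target: bytes) -> bytes:
    """Percent-decode and lower-case, as an HTTP normalizer would, so that
    obfuscated spellings of the same path compare equal to the plain one."""
    return unquote_to_bytes(target).lower()


# Hypothetical vulnerability (not a real CVE): /cgi-bin/report.cgi overflows
# when the 'id' parameter is longer than 64 bytes.
VULN_RE = re.compile(rb"^/cgi-bin/report\.cgi\?(?:[^&]*&)*id=[^&]{65,}")

SIGNATURES: List[Signature] = [
    # Broad anomaly rule: any request target longer than MAX_PATH.
    Signature(1001, "anomaly", "request target longer than MAX_PATH",
              lambda line: len(request_target(line)) > MAX_PATH),
    # Vulnerability rule matched on raw bytes, with no normalization.
    Signature(2001, "vulnerability", "report.cgi id overflow (raw bytes)",
              lambda line: VULN_RE.match(request_target(line)) is not None),
    # Same vulnerability rule, matched after URL normalization.
    Signature(2002, "vulnerability", "report.cgi id overflow (normalized)",
              lambda line: VULN_RE.match(normalize(request_target(line))) is not None),
]

# Constructed sample traffic: (label, raw request line, is_attack)
SAMPLES: List[Tuple[str, bytes, bool]] = [
    ("benign-short", b"GET /index.html HTTP/1.1", False),
    # Legitimate but unusually deep path (311 bytes): looks anomalous.
    ("benign-deep-path", b"GET /" + b"docs/" * 60 + b"index.html HTTP/1.1", False),
    ("known-attack-plain",
     b"GET /cgi-bin/report.cgi?id=" + b"A" * 100 + b" HTTP/1.1", True),
    # Same attack with '%72' in place of 'r' to evade a raw byte match.
    ("known-attack-encoded",
     b"GET /cgi-bin/%72eport.cgi?id=" + b"A" * 100 + b" HTTP/1.1", True),
    # Attack on a CGI no vulnerability signature knows about (a "zero-day").
    ("unknown-attack-long",
     b"GET /cgi-bin/other.cgi/" + b"A" * 400 + b" HTTP/1.1", True),
]


def evaluate(signatures: List[Signature],
             samples: List[Tuple[str, bytes, bool]]) -> Dict[int, Dict[str, List[str]]]:
    """Run every signature over every sample and bucket the outcome per SID."""
    report: Dict[int, Dict[str, List[str]]] = {}
    for sig in signatures:
        buckets: Dict[str, List[str]] = {"true_positive": [], "false_positive": [], "missed": []}
        for label, line, is_attack in samples:
            fired = sig.match(line)
            if fired and is_attack:
                buckets["true_positive"].append(label)
            elif fired:
                buckets["false_positive"].append(label)
            elif is_attack:
                buckets["missed"].append(label)
        report[sig.sid] = buckets
    return report


if __name__ == "__main__":
    for sig, (sid, buckets) in zip(SIGNATURES, evaluate(SIGNATURES, SAMPLES).items()):
        print(f"SID {sid} [{sig.kind}] {sig.name}")
        for outcome, labels in buckets.items():
            print(f"  {outcome:15s} {labels}")
```

Running it shows the three outcomes the post describes: the anomaly signature catches the unknown attack but also fires on the benign deep path and misses the known attack entirely (the attacking request is short); the raw-byte vulnerability signature has no false positives but is evaded by a trivially encoded path; the normalized vulnerability signature catches both spellings of the known attack and still misses the unknown one. Breadth buys coverage of the unforeseen at the price of false positives, precision buys quiet accuracy at the price of coverage, and the precise signature is only as evasion-resistant as the normalization in front of it.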

Given the size of the signature set and the limited resources on our legacy devices, Cisco IPS signature developers will focus on the vulnerability-based approach to signature development going forward. This will allow customers to deploy an efficient and safe signature configuration that detects the maximum number of common attack vectors for recent threats within the resources those devices have.

Customers seeking protection beyond the vulnerability-based approach will benefit from deploying other network security measures that are more effective at identifying and blocking less well-defined attacks.

Anti-virus products are effective at detecting malware that is active on hosts in the network.

Port access is filtered very efficiently by traditional firewall products.

Application firewalls control access to applications by filtering input, output and system service calls locally and over the network.

These devices narrow down the potential attack vectors and, in concert with our legacy signature-based IPS devices, provide highly effective network security. While the Cisco IPS signature development team will be releasing fewer anomaly signatures in the future, we are available to create a limited number of custom detections for customers upon request. Custom signature requests may be sent to ids-signature-team@cisco.com. Whether it is to detect an anomaly or a threat not currently covered by the default signature set, a custom signature can fill a gap in an individual customer's security profile. Custom signatures allow Cisco IPS to deliver targeted detection of the threats that concern some customers while leaving the default signature set more lightweight for most customers. Customers may also create their own custom signatures by following this guide: http://cs.co/9005BJPpv.

I think as the attacks grow day by day, the focus should be on increasing the performance of the security box, because anomaly detection is very useful in the case of zero-day attack detection. Sometimes, going through the protocol or system specifications, we can reach the conclusion that if the mentioned behavior is exploited then there is an attack. If you take a simple example of Windows, there the path name should not be greater than 260 bytes, so in this case we can write an anomaly signature to detect the attack case; this is a simple example, there are many more. On the other hand, if we write a vulnerability-based signature then that will trigger on that vulnerability only, and if the traffic is obfuscated then the signature will be evaded. There are many pros and cons that need to be thought about.

Another easy way is to learn how to write Snort rules.
Moreover, you can have both anomaly and vulnerability detection on NGIPS using correlation rules.
Add to this the ability to correlate signatures to the actual vulnerabilities on the targeted system, which will reduce the time-to-protection window.
